The IT background of David Ralph, senior vice president of risk management at Hong Kong-based telecommunications company PCCW Limited, has never been more relevant than in today's risk landscape.

Before joining PCCW in 1992, when the company was known as Cable & Wireless HKT Limited, Australian-born Ralph held a number of information security positions in Australia and the UK.

“I started some 30 years ago back in Australia and got involved in information security with one of the insurance companies in Australia at the time,” says Ralph.

“That was the very early days of information security and it was a very different IT environment in those days.”

After a few years in the Australian IT landscape, Ralph moved to the UK where he worked as an information security contractor for local councils, insurance companies and telecommunications concerns.

For Ralph, the transition from IT security to risk management was a gradual and largely organic process.

“I then got an offer to come out here [to Hong Kong in 1992] to help my current employers [PCCW] set up their information security departments,” says Ralph.

“They were just moving into new IBM mainframes at that stage, and they were advised that they needed information security.

“We then went through a process there where we were looking to outsource a large part of the IT department and I got involved in that and looked at the various risks associated with the IT side in outsourcing, mainly from an IT security perspective still.

“I also got involved in the contract negotiations, contract drafting and the various contract risks.”

Ralph says that in 1998 he started formally transitioning from his IT role into general risk management.

“Then, in 2000, I was asked to take on the insurance responsibilities [at PCCW],” he explains.

“And now, while I still have a strategic responsibility for the group’s information security, I am more focused on general risk management activities.”

Ralph explains that his transition into risk “just made sense”, especially with information systems going from a small “nice to have” to being a core function of the business.

“We have gone through the evolution of that process, and at the same time the risks we were looking at have become more and more IT-focused,” he says.

“So it made a lot of sense to just carry that through. I was getting more involved in the other types of risk which sat around that [IT side], so it was a logical evolution for me.”

Ralph insists that his IT background has been very beneficial to his risk role. “As an IT, telecoms and media firm, these are IT-type businesses,” he says. “So not only do we rely on IT for billings and aspects like that, but the underlying infrastructure is IT-based for everything we are providing.”

Ralph says his IT knowledge has also assisted when people have tried to inform him that a certain area of technology has minimal, or no, risks.

“I have a reasonable amount of respect and authority when it comes to discussing what the risks actually are, and it enables me to work more closely with the technical teams,” he says.

Broad range of risks

Explaining his daily role at PCCW today, Ralph states that much of his role involves working closely with the firm’s various business units.

“I work with those business units looking at what their projects are, identifying risk areas and helping to mitigate whatever those risks are,” says Ralph.

“We look at a broad range of risks, including operational, environmental, or information and network security-based risks.

“We try and help those business units understand and develop their proposals so they are aware of, and can address, those various risk issues.”

Maintaining various governance issues by working closely with legal and regulatory groups in the business to develop corporate policies is also a central part of Ralph’s role.

“We also do awareness programs and training on security, especially a lot of information security awareness training to the business units,” he says.

“We do a lot of reviews of contracts to assess them from a risk perspective and provide advice back through the legal channel to business units on how they should be looking to change the risk profiles we are accepting under various contracts.”

Ralph says that one of the biggest challenges relating to cyber risk is the lack of a full appreciation of the global nature of this risk.

“From a management perspective, I believe that senior management and board level [executives] do not appreciate the dependencies of any sort of business, and the continuation of their business relies on the information systems,” he says.

“It has become relevant that risk teams have a good understanding of information systems and security around them in order to start to address cyber risks.

“Most of my team are made up of people who have come from the information systems side, but that is balanced with people who have more of the business perspective.

“It is going to be a necessary part of risk management to have an understanding of information systems and security, but it is still going to need some balance with the business knowledge side too in terms of risks – one is not going to supplant the other.”

The people problem

Ralph is also keen to underline the people risk aspect of cyber risk, as technology is never going to offer 100% protection while people are still responsible for operating systems.

“Regrettably, at the moment, the latest generation coming into the workforce do not have an appreciation of the issues we deal with on a corporate basis,” he says.

“They are more laissez-faire in terms of how they treat security and confidentiality, in terms of how they protect their information systems.”

Ralph says risk managers must continue to promote risk awareness to the people working in the business and bring them the same message about how the ultimate responsibility rests with them in terms of protecting a company’s systems.

“We [PCCW] are a critical industry by being in communications. We need to keep pushing that message and drive home where the risks are coming from and what needs to be done,” he says.

“We still have the responsibility from a risk management perspective to continually monitor the media and the professional feeds, to see what is happening out there.

“We [risk managers] must also work with different business units when they are developing products and solutions to ensure those business units think about whether their solutions, systems and processes meet the security which is required.”

Ralph says that risk managers have to take a more active role in contributing to the management of the company, especially in Asia.

“They have to be more proactive in coming forward with the solutions and identifying issues which need to be addressed – providing solutions or recommendations that could be adopted,” he advises.

“They need to ensure they look much more broadly at what could be done to mitigate risks and to transfer risks.

“At the moment there are too many people who are called risk managers, but effectively they are little more than an extension of a purchasing officer, and therefore their contribution involves going out and buying the cheapest insurance they can get, thinking that is the answer to risk management.

“That is what we must work on trying to improve in Asia.”

Reduced restrictions

Expanding on why he enjoys his role in risk, Ralph says he has the opportunity to get a “very holistic view across the company”.

“It does not restrict me to one of the operating units or one discipline itself,” says Ralph.

“I get to see how various parts of the company interact and how risks can propagate through the company, or how one area of opportunity can create risks for another area.

“I am able to take a broad view, but then to go down to a more detailed level and get people to work together to develop solutions which are beneficial to the whole of the company.”

Ralph says that working in a risk management capacity often makes him feel that he has made a very positive contribution to the company.

“It is more rewarding than when I was just doing the IT security,” he says.

“It was good to avoid attacks in IT security, but the absence of something is not as good a thing to hang on to. To say ‘we did a good job because this did not happen’ is not quite as fulfilling.”